About the EIF

The EIF is characterised by a multi-layered control environment embedded in the EU institutional framework and aligned with the financial sector's principles and best practices.

The EIF's first layer of control is exercised through internal processes and procedures developed and implemented by the Executive Management by means of financial and operational controls designed to enable effective and efficient day-to-day operations, ensure reliable financial reporting, compliance with applicable rules and policies and achieve the EIF's objectives.

In this context, the EIF's procedural and organisational framework sets out the competences, authorities and reporting lines within the EIF, with a view to ensuring segregation of duties both horizontally, through the interaction between front office, middle office and back office services and vertically, through central control by the Board of Directors of the decision-making process in relation to all business activities.

The second layer of control consists of independent risk and compliance functions which implement an ex-ante risk assessment and reporting framework for each transaction proposed for approval, complemented by ex-post risk monitoring where relevant (see sections on Risk Management and Legal Service).

The EIF maintains an Internal Control Framework (ICF) and produces an ICF report annually. The ICF relies in particular on a risk control matrix outlining the main operational risks to which the EIF is exposed. Through the ICF, the Executive Management is in a position to obtain the necessary comfort that key risks related to the EIF's business activities are properly identified, that control objectives are defined, that significant risks are mitigated and that the controls designed to achieve these objectives are in place and are operating effectively.

In 2019, the ICF was complemented with an independent opinion from Deloitte on the design and effectiveness of the key controls of the mandate-related processes throughout the year, in line with the internationally recognised ISAE-3402 standard (type 2 report). This ISAE 3402 report with the same scope was completed by KPMG in 2019.

The ICF and the ISAE-3402 report form the basis for the confirmation by the Chief Executive to the Audit Board that the main risks have been identified and mitigated.

The risks, control objectives and agreed improvements described in the ICF are reviewed by Internal Audit, which, on the basis of the audits and the follow-up on agreed action plans performed, expresses an opinion on the achievement of the control objectives in the audited areas and on the design and effectiveness of the related internal controls.

The third layer includes both internal and external audit activities that are coordinated by the Audit Board. The Audit Board, as an oversight and controlling body, conducts its activity in accordance with the standards of the audit profession and relies on both internal and external audit assurances in order to confirm annually that, to the best of its knowledge and judgement, the operations of the EIF have been carried out in compliance with the Statutes and the Rules of Procedure and that the financial statements give a true and fair view of the financial position of the EIF as regards its assets and liabilities and of the results of its operations for the financial year under review. This information is included in the annual report submitted by the Board of Directors to the EIF's Annual General Meeting.

In order to discharge its duty in relation to the financial statements, the Audit Board may have recourse to external auditors. The audit of the financial statements of the EIF for the year ending 31 December 2019 was carried out by KPMG Luxembourg, as external auditor.

KPMG performs its audits in accordance with the International Standards on Auditing (ISA) and is committed to inform the EIF Executive Management and the Audit Board of any material weaknesses in the design or implementation of internal controls over financial information that come to its attention during the audit of the financial statements. While performing the audit of the annual accounts, KPMG is acting independently, fulfilling the duty imposed on it by the Code of Professional Ethics adopted in Luxembourg by the Commission de Surveillance du Secteur Financier (CSSF).

Internal Audit (which is outsourced to EIB Internal Audit) examines and evaluates the relevance, design and effectiveness of the internal control systems and procedures within the EIF.

To that end, a yearly audit plan covering all key processes of the EIF is established, on the basis of a risk-assessment methodology, in alignment with the ICF. The plan is discussed with the Executive Management and the external auditor prior to being submitted to the Audit Board for approval. Internal Audit examines the EIF's activities in order to support the Executive Management's statement on the design and effectiveness of internal controls, risk management and administration. Internal Audit reports on its findings by means of recommendations and agreed action plans to improve the EIF's control and working procedures.

The Head of Internal Audit reports regularly on the execution of the internal audit programme to the Executive Management, the Audit Board and the Chairman of the Board of Directors.

Internal Audit adheres to the professional and ethical guidance issued by the Institute of Internal Auditors and the Information Systems Audit and Control Association and is subject to a regular quality assurance and improvement programme that covers all aspects of the internal audit activity. Moreover, Internal Audit shall comply with the internal policy statements governing their actions. In addition to the maintenance of an internal control environment in line with the highest standards of the financial and banking sector, the EIF is subject to periodic reviews by independent control bodies such as the European Court of Auditors (ECA), the Internal Audit Service of the EC and national or regional authorities entrusted with the task of monitoring the correct utilisation of funds under the relevant rules and within their respective remits.

The EIF’s mission is supported through a robust and coherent approach to risk management which seeks to ensure the highest quality standards for its operations and the best corporate rating from the major rating agencies.

Risk management is embedded in the EIF’s corporate culture and is based on the so-called “three-lines-of-defence” model, which permeates all areas of the EIF’s business functions and processes. These are: first line – front office; second line – independent risk management and compliance; and third line – internal and external audit.

Early in 2019, the Risk Management function underwent a substantial reorganisation with the creation of a Compliance department and a Financial and Corporate Risk department, each with two divisions: a Compliance and a Privacy division for the Compliance department and a Transaction and Portfolio Management Division and a Corporate Risk Management Division for the Financial and Corporate Risk department. This reorganisation was based on an identification of key risk management processes each of which should be addressed by a dedicated team, established as Divisions in either of the referred departments. This new organisation should both equip EIF Risk Management to address the challenges expected from the upcoming policy initiatives within EIB Group and under the new EU budgetary period and create a more focused, as well as more cooperative, approach to the management of financial and non-financial risks in the EIF.

The highly dynamic business environment and the strong growth of the EIF’s transaction volumes considerably challenged the capital and limit management in place with the purpose of ensuring the EIF‘s capital sustainability in line with the applicable Group policies. In 2019, the EIF formalised its ICAAP and ILAAP processes, which will contribute to the relevant future Group capital and liquidity management processes. The medium term capital planning allowed the postponement of a proposed capital increase to 2022, corresponding to the start of a new EU budgetary period.

The cooperation between the EIF and EIB on risk management has been further intensified to prepare the ground for the establishment of the new Group Chief Risk Officer function expected in 2020. This found its expression not least in various new Group Committees, such as the Information Security Committee (ISeC) or the Group Risk Management Steering Committee. Joint projects between the EIB and the EIF are planned to advance further, in particular on compliance with Best Banking Practices (BBP) and, more specifically, the data aggregation standards under BCBS 239. In this context, the EIF adopted Best Market Practices Guidelines and the relevant process to identify and monitor Best Practices compliance, which will be fully implemented in 2020.

The mandate scoring methodology, developed in the course of 2018 on the basis of the contact with the UN Development Programme (UNDP) was adopted in September 2019. This methodology forms the basis of further considerations on the parameterisation and measurement of policy relevance and impact, which will be of increasing importance in the upcoming EU Budgeting period.

Compliance The EIF’s compliance risk assessment strives to protect the institution against risks that could have an adverse effect on its reputation. Under the terms of its Compliance Charter, the Compliance team assesses - in line with best market practices and in line with the EIB Group’s policy framework – the (i) institutional, (ii) transactional and (iii) ethical aspects of the EIF’s compliance risk.

Ensuring the permanence of the compliance function, as well as the independence of the compliance risk assessment, as a matter of best practice, is a key requirement for any financial institution. In the EIF, the principles of permanence and independence are included in the EIF Compliance Charter and materialise through the unrestricted direct access of the Chief Compliance Officer to the Chief Executive, the Deputy Chief Executive, the Board of Directors and the Audit Board.

The compliance risk assessment in the transactional area follows a risk-based approach and is reflected in the independent compliance opinion provided to the EIF decision-making bodies. It is implemented through compliance risk scorings provided in the compliance opinions, in particular on the risk of the EIF being involved (or used) in (i) money laundering and terrorism financing cases and (ii) tax avoidance schemes.

Data protection In order to ensure compliance with the new data protection regulation for EU institutions and bodies (Regulation EU 2018/1725), the Data Protection Officer (DPO) took a number of initiatives, including but not limited to giving regular training to staff and senior management, updating the EIF policy framework and providing ongoing support to the EIF Services.

In particular, the DPO ensured:

- maintenance of the inventory of records;

- regular update of the data protection statements;

- assistance in carrying out Data Protection Impact Assessments;

- development of a surveillance programme aimed at verifying ongoing compliance with the new data protection regulation;

- regular cooperation with the European Data Protection Supervisor.